Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,230
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,504
Pub
12
RubyGems
996
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

4,504 advisories

Loading
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft High
CVE-2026-33010 was published for mcp-memory-service (pip) Mar 7, 2026
yotampe-pluto Credited to yotampe-pluto
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality High
GHSA-5r2p-pjr8-7fh7 was published for sagemaker (pip) Mar 5, 2026
daridor9 Credited to daridor9
Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure High
CVE-2026-30244 was published for plane (pip) Mar 5, 2026
Sanu1999 Credited to Sanu1999
Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer High
CVE-2026-30242 was published for plane (pip) Mar 5, 2026
ByamB4 Credited to ByamB4
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint Moderate
CVE-2026-29787 was published for mcp-memory-service (pip) Mar 5, 2026
yotampe-pluto Credited to yotampe-pluto
RAGAS has an Arbitrary File Read vulnerability High
CVE-2025-45691 was published for ragas (pip) Mar 5, 2026
LangGraph checkpoint loading has unsafe msgpack deserialization Moderate
CVE-2026-28277 was published for langgraph (pip) Mar 5, 2026
xgrammar vulnerable to DoS via multi-layer nesting High
CVE-2026-25048 was published for xgrammar (pip) Mar 5, 2026
ylwango613 Credited to ylwango613
Python-Markdown has an Uncaught Exception Moderate
CVE-2025-69534 was published for Markdown (pip) Mar 5, 2026
django-allauth has an open redirect vulnerability Moderate
CVE-2026-27982 was published for django-allauth (pip) Mar 5, 2026
dbt-common's commonprefix() doesn't protect against path traversal Low
CVE-2026-29790 was published for dbt-common (pip) Mar 5, 2026
sethmlarson Credited to sethmlarson and emmyoop emmyoop emmyoop
pyLoad has an Arbitrary File Write via Path Traversal in edit_package() High
CVE-2026-29778 was published for pyload-ng (pip) Mar 5, 2026
BaranTeyin1 Credited to BaranTeyin1 and MetinGerdan MetinGerdan MetinGerdan
eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write Moderate
CVE-2026-29780 was published for eml-parser (pip) Mar 5, 2026
redyank Credited to redyank
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked High
GHSA-wccx-j62j-r448 was published for fickling (pip) Mar 4, 2026
mldangelo Credited to mldangelo
changedetection.io has Zip Slip vulnerability in the backup restore functionality High
CVE-2026-29065 was published for changedetection.io (pip) Mar 4, 2026
pussycat0x Credited to pussycat0x and neo-ai-engineer neo-ai-engineer neo-ai-engineer
changedetection.io vulnerable to XPath - Arbitrary File Read via unparsed-text() High
CVE-2026-29039 was published for changedetection.io (pip) Mar 4, 2026
DhiyaneshGeek Credited to DhiyaneshGeek and neo-ai-engineer neo-ai-engineer neo-ai-engineer
changedetection.io has Reflected XSS in its RSS Tag Error Response Moderate
CVE-2026-29038 was published for changedetection.io (pip) Mar 4, 2026
Akokonunes Credited to Akokonunes
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification High
CVE-2026-28802 was published for authlib (pip) Mar 4, 2026
michael-guignard Credited to michael-guignard
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links High
CVE-2026-28681 was published for irrd (pip) Mar 4, 2026
BrookeYangRui Credited to BrookeYangRui
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's pkgutil.resolve_name has a universal blocklist bypass Critical
GHSA-vvpj-8cmc-gx39 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface Moderate
CVE-2026-28223 was published for wagtail (pip) Mar 3, 2026
GCXWLP Credited to GCXWLP, RealOrangeOne, and gasman RealOrangeOne RealOrangeOne
gasman gasman
Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes Moderate
CVE-2026-28222 was published for wagtail (pip) Mar 3, 2026
GCXWLP Credited to GCXWLP, RealOrangeOne, and gasman RealOrangeOne RealOrangeOne
gasman gasman
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database